
Increase web application stack security (LAMP virtualization, step 5/6)

Configuring the Lighttpd web server to serve static files from a network file system (NFS)


The fifth lesson in this series of articles on configuring the LAMP web stack on virtual machines is devoted to serving static files.

The lighttpd web server provides access to static content over HTTP or HTTPS. In this example, I'm going to install and use the Lighttpd web server, with the DocumentRoot bound to vm05:/exports/static, mounted at /var/www/static. Enter all of the commands below on vm01 only (IP address 192.168.1.10).

Configure NFS Client


Using yum, install the NFS client packages:
 # yum groupinstall "Network file system client"

Or a little easier:
 # yum install nfs-utils nfs4-acl-tools 

Enable the NFSv4 client services:
 # chkconfig rpcbind on
 # chkconfig rpcidmapd on
 # chkconfig nfslock on


/etc/idmapd.conf nfs client configuration


Edit the NFS client configuration file:
 # vi /etc/idmapd.conf

Make sure that the parameters are set to match the domain name of the NFS server:
 Domain = cyberciti.biz
 [Mapping]
 Nobody-User = nobody
 Nobody-Group = nobody

Save and close the file. Start all NFS client services:
 # /sbin/service rpcbind start
 # /sbin/service rpcidmapd start
 # /sbin/service nfslock start


Create a user account


We will run the Lighttpd web server only as the apache user. To add the user account in Linux, enter the following commands:
 # /usr/sbin/groupadd -g 48 apache
 # /usr/sbin/useradd -s /sbin/nologin -g 48 -u 48 -M -d /var/www apache
 # /usr/bin/passwd -l apache


Mount the file system


Enter the following command:
 # showmount -e vm05

Example output:
 Export list for v.txvip1:
 /exports/html     192.168.1.10,192.168.1.11
 /exports/static   192.168.1.10,192.168.1.11

Mount the /exports/static directory of the NFS file system on /var/www/static:
 # mkdir /var/www/static
 # /bin/mount -t nfs4 -o rsize=32768,wsize=32768,intr,hard,proto=tcp,sync vm05:/exports/static /var/www/static/



Mounting a file system via /etc/fstab


Edit /etc/fstab:
 # vi /etc/fstab

Add the following line:
 vm05:/exports/static /var/www/static nfs4 rsize=32768,wsize=32768,intr,hard,proto=tcp,sync

Save and close the file. Make sure the netfs service is enabled:
 # chkconfig netfs on 

Finally, make sure that the apache user sees our files. The account was created with /sbin/nologin as its shell, so give su a shell explicitly with -s:
 # su -s /bin/bash - apache
 $ ls /var/www/static/
 $ exit
 #

Please note that root and all other users cannot see /var/www/static because of the security policy we have established. The apache user, under which lighttpd runs, is the only one with access to the DocumentRoot.
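
A mistyped option name in the /etc/fstab entry, such as orsize for rsize, is only noticed when the mount is attempted, which for an fstab entry usually means the next boot. The check below is an added example, not part of the original article: check_fstab_line and the KNOWN list are hypothetical helpers, and the input line is constructed.

```sh
#!/bin/sh
# Constructed example: sanity-check one NFSv4 line from /etc/fstab.
# KNOWN holds the option names used on this page plus a few common
# mount(8)/nfs(5) ones; the list is an assumption, extend it as needed.
KNOWN="rsize wsize intr hard soft proto sync async ro rw nosuid nodev noexec sec timeo retrans _netdev defaults"

# check_fstab_line "DEVICE MOUNTPOINT FSTYPE OPTIONS [DUMP PASS]"
# Prints one finding per problem; returns 0 only when nothing was found.
check_fstab_line() {
    set -f; set -- $1; set +f          # split the line on whitespace
    dev=$1 mnt=$2 fstype=$3 opts=$4
    bad=0
    case $dev in
        *:/*) ;;
        *) echo "device '$dev' is not in server:/export form"; bad=1 ;;
    esac
    case $mnt in
        /*) ;;
        *) echo "mount point '$mnt' is not an absolute path"; bad=1 ;;
    esac
    if [ "$fstype" != "nfs4" ]; then
        echo "filesystem type '$fstype' is not nfs4"; bad=1
    fi
    old_ifs=$IFS; IFS=,
    set -f; set -- $opts; set +f       # split the options on commas
    IFS=$old_ifs
    for opt in "$@"; do
        name=${opt%%=*}                # drop "=value"
        case " $KNOWN " in
            *" $name "*) ;;
            *) echo "unknown option '$name'"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed input: the entry with a mistyped first option.
check_fstab_line 'vm05:/exports/static /var/www/static nfs4 orsize=32768,wsize=32768,intr,hard,proto=tcp,sync' \
    || echo "fix the entry before relying on it at boot"
```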

Install Lighttpd web server


Connect the EPEL repository and install the Lighttpd web server
 # yum install lighttpd 

Example console output:
 Loaded plugins: rhnplugin
 Setting up Install Process
 Resolving Dependencies
 --> Running transaction check
 ---> Package lighttpd.x86_64 0:1.4.28-3.el6 will be installed
 --> Finished Dependency Resolution
 Dependencies Resolved
 ==========================================================================
  Package          Arch           Version               Repository    Size
 ==========================================================================
 Installing:
  lighttpd         x86_64         1.4.28-3.el6          epel         328 k
 Transaction Summary
 ==========================================================================
 Install       1 Package(s)
 Total download size: 328 k
 Installed size: 878 k
 Is this ok [y/N]: y
 Downloading Packages:
 lighttpd-1.4.28-3.el6.x86_64.rpm                   | 328 kB     00:00
 Running rpm_check_debug
 Running Transaction Test
 Transaction Test Succeeded
 Running Transaction
   Installing : lighttpd-1.4.28-3.el6.x86_64                           1/1
 Installed:
   lighttpd.x86_64 0:1.4.28-3.el6
 Complete!


Setting up a Lighttpd web server


Edit /etc/lighttpd/lighttpd.conf by entering the following commands:
 # mv /etc/lighttpd/lighttpd.{conf,default.bak}
 # vi /etc/lighttpd/lighttpd.conf

Enter the following settings:
 ## Configuration for http://static.cyberciti.biz
 server.modules = (
     "mod_expire",
     "mod_access",
     "mod_accesslog",
     "mod_setenv",
     "mod_extforward"
 )
 server.errorlog        = "/var/log/lighttpd/error.log"
 accesslog.filename     = "/var/log/lighttpd/access.log"
 index-file.names       = ( "index.html", "index.htm", "default.htm" )
 server.tag             = "lighttpd"
 server.network-backend = "linux-sendfile"
 ## Listen on the LAN address only ##
 server.port = "80"
 server.bind = "192.168.1.10"
 server.document-root = "/var/www/static"
 server.pid-file = "/var/run/lighttpd.pid"
 server.username = "apache"
 server.groupname = "apache"
 ## Let clients cache static files for 30 days ##
 $HTTP["url"] =~ "^/" {
   expire.url = ( "" => "access 30 days" )
 }
 ### Log the real client IP ###
 ### 192.168.1.{1,2} == nginx reverse proxy server ##
 extforward.headers = ("X-Forwarded-For")
 extforward.forwarder = (
      "192.168.1.1" => "trust",
      "192.168.1.2" => "trust"
 )
 ##
 ## mimetype mapping
 ##
 include "conf.d/mime.conf"

Save and close the file
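
How the extforward.forwarder list above decides which address reaches the access log, as an added example that is not part of the original article and is not lighttpd's code: a simplified model in which X-Forwarded-For is honoured only when the TCP peer is a listed proxy, and the rightmost address that is not a proxy is taken as the client. The function names and the sample client addresses are constructed.

```sh
#!/bin/sh
# Constructed model of the trust rule set by extforward.forwarder.
TRUSTED="192.168.1.1 192.168.1.2"   # the nginx reverse proxies from the config

is_trusted() {
    for t in $TRUSTED; do
        if [ "$t" = "$1" ]; then return 0; fi
    done
    return 1
}

# logged_client PEER_IP X_FORWARDED_FOR -> address that ends up in access.log
logged_client() {
    peer=$1
    client=$peer                    # default: believe only the TCP peer
    if is_trusted "$peer"; then
        old_ifs=$IFS
        set -f; IFS=', '
        set -- $2                   # split the header into hops
        IFS=$old_ifs; set +f
        # Left to right, keeping the last hop that is not one of our
        # proxies, i.e. the rightmost untrusted address.
        for hop in "$@"; do
            is_trusted "$hop" || client=$hop
        done
    fi
    printf '%s\n' "$client"
}

# Request relayed by a proxy; the first hop was supplied by the client
# itself and is ignored: 203.0.113.7
logged_client 192.168.1.1 '198.51.100.9, 203.0.113.7'
# Header sent directly by a LAN host that is not a proxy: 192.168.1.50
logged_client 192.168.1.50 '203.0.113.7'
```

Every address listed in extforward.forwarder can set the logged client IP to any value, so the list should contain only the proxies themselves.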

Configuring iptables to access the web-server


Edit the /etc/sysconfig/iptables file by adding the following rule (make sure that it is placed before the final LOG and DROP rules of the INPUT chain):
 ## Accept new HTTP connections from the 192.168.1.0/24 LAN ##
 -A INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT

Save, close. Restart iptables :
 # /sbin/service iptables restart
 # /sbin/iptables -L -v -n


Turn on Lighttpd

Start the Lighttpd web server with the following command:
 # chkconfig lighttpd on
 # service lighttpd start

Open a browser and go to our server:
 http://192.168.1.10/ 


Source: https://habr.com/ru/post/148490/

